diff --git a/Caddyfile b/Caddyfile
index 1a18550..6a61adb 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,6 +1,6 @@
 {
   on_demand_tls {
-    ask http://app:3000/tls-check
+    ask http://pds:3000/tls-check
   }
 }
 
@@ -8,5 +8,5 @@
   tls {
     on_demand
   }
-  reverse_proxy app:3000
+  reverse_proxy pds:3000
 }
diff --git a/compose.yml b/compose.yml
index 22b2891..7ff4bad 100644
--- a/compose.yml
+++ b/compose.yml
@@ -5,7 +5,14 @@ services:
   app:
     image: ghcr.io/bluesky-social/pds:0.4.219
     networks:
-      - internal
+      # Unique alias so the caddy sidecar resolves THIS stack's PDS, not a foreign service. On a
+      # shared host the default service name `app` is aliased by every co-located stack on the
+      # `proxy` overlay; caddy (attached to both `proxy` and `internal`) otherwise resolves bare
+      # `app` to another stack's endpoint, so its on-demand-TLS `ask` to the PDS is refused and the
+      # cert is never issued (HTTPS dead). `pds` exists only on `internal`, so it resolves correctly.
+      internal:
+        aliases:
+          - pds
     environment:
       - PDS_HOSTNAME=${DOMAIN}
       - PDS_DATA_DIRECTORY=/pds
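Review bot: The `ask` endpoint on the new `http://pds:3000/tls-check` line is the only gate between an arbitrary SNI name and a certificate request, and nothing in the Caddyfile records that `pds` is a compose-side alias that must stay in sync; the same coupling appears in the second hunk's `reverse_proxy pds:3000`. A mis-resolution in the direction this commit fixes was fail-closed (the PDS was never asked, so no cert was issued), but a future rename that lands the `ask` on some other service which answers 200 unconditionally would be fail-open, letting Caddy request certificates for any hostname a client presents and burning ACME rate limits. Add a comment above the `ask` line such as `# 'pds' is the network alias declared in compose.yml; this ask endpoint is what gates on-demand issuance, so it must always target the PDS's /tls-check and never a generic 200 responder`, and consider carrying the upstream in one place (for example an environment placeholder) so the two hunks cannot drift apart. The enclosing site block of the second hunk starts before that hunk.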
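Review bot: The alias `pds` added under `internal:` is no more collision-resistant than `app` was; the fix holds only because `internal` is project-private, and that property is established in the top-level `networks:` definition, which is outside this hunk. If `internal` is ever marked `external: true` or otherwise shared across stacks on the host, caddy's lookup of `pds` would have the same ambiguity the comment describes for `app`, and the on-demand-TLS `ask` could again reach a foreign service. The five-line comment would read better if it stated the invariant rather than the incident, for instance `# 'pds' is resolved by the caddy sidecar for both reverse_proxy and the on-demand-TLS ask; it is unique only because 'internal' is project-private, so never declare 'internal' as external/shared`. The Caddyfile hunks depend on this alias existing, so the two files must be deployed together.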